package com.lg.atp.sercurity;



import java.io.IOException;

import javax.annotation.PostConstruct;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.FilterInvocation;
	/**
	* 核心的InterceptorStatusToken token = super.beforeInvocation(fi);
	* 会调用我们定义的accessDecisionManager:decide(Object object)
	* 和securityMetadataSource:getAttributes(Object object)方法。
	* 自己实现的过滤用户请求类，也可以直接使用 FilterSecurityInterceptor
	*/
public class MySecurityFilter extends AbstractSecurityInterceptor implements Filter {
	
	//与applicationContext-security.xml里的myFilter的属性securityMetadataSource对应，
	//其他的两个组件，已经在AbstractSecurityInterceptor定义
		@Autowired
		private MySecurityMetadataSource mySecurityMetadataSource;
		@Autowired
		private MyAccessDecisionManager myAccessDecisionManager;
		@Autowired
		private AuthenticationManager authenticationManager;
	
		@PostConstruct
		public void init(){
			super.setAuthenticationManager(authenticationManager);
			super.setAccessDecisionManager(myAccessDecisionManager);
	
		}
	
		@Override
		public SecurityMetadataSource obtainSecurityMetadataSource() {
	
			return this.mySecurityMetadataSource;
	
		}
	
		@Override
		public void doFilter(ServletRequest request, ServletResponse response,
				FilterChain chain) throws IOException, ServletException {
			
			FilterInvocation fi = new FilterInvocation(request, response, chain);
			invoke(fi);
		}
	
		private void invoke(FilterInvocation fi) throws IOException, ServletException {
			InterceptorStatusToken token = null;
			try {
		
				token = super.beforeInvocation(fi);
				fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
			} catch (AuthenticationException authenticationException) {
		
			}finally {
				super.afterInvocation(token, null);
			}
		}
	
	public void init(FilterConfig arg0) throws ServletException {
	
	
	}
	
	public void destroy() {
	
	}
	
	@Override
	public Class<? extends Object> getSecureObjectClass() {
	
	//下面的MyAccessDecisionManager的supports方面必须放回true,否则会提醒类型错误
	return FilterInvocation.class;
	
	}
	
	}